Qualys. 


RESPONSIBLE DISCLOSURE POLICY 


Qualys, Inc. has great concern for the security of the cloud platform, applications and services 
that we offer to our customers. If you are a security researcher and have discovered a security 
vulnerability in one of our services, we appreciate your help in disclosing it to us in a responsible 
manner. We will validate and fix vulnerabilities in accordance with our policies. Qualys reserves 
all its legal rights in the event of any noncompliance with the applicable laws and regulations. 


REPORTING: 


If you believe you’ve found a security issue in one of our products or services, please send it to 
us at bugreport@qualys.com along with your contact details and include the following in your 
report: 

• A description of the issue and where it is located, along with screenshots. 
• A description of the steps required to reproduce the issue. 


Examples of vulnerabilities include, inter alia: 

• Authentication flaws 
• Circumventing of platform and/or privacy permissions 
• Privilege escalations 
• Cross-site scripting (XSS) 
• Cross-site request forgery (CSRF) 
• Server-side request forgery (SSRF) 
• Injection attacks (SQL, XML, JSON, etc.) 
• Business logic bypass 
• Arbitrary redirect 
• Server-side code execution (RCE) 


RULES FOR FINDING SECURITY VULNERABILITIES 

• Take responsibility and act with extreme care and caution. 
• When investigating the matter, only use methods or techniques that are compliant with 
law and necessary in order to find or demonstrate the weaknesses. 

Without limiting the generality of the foregoing, in any event please refrain from the following: 


• Do not use weaknesses you discover for purposes other than your own investigation. 
• Do not use social engineering to gain access to a system. 
• Do not install any back doors — not even to demonstrate the vulnerability of a system. 
Back doors will weaken the system’s security. 
• Do not alter or delete any information in the system. If you need to copy information for 
your investigation, never copy more than you need. If one record is sufficient, do not go 
any further. 
• Do not alter the system in any way. 
• Do not share access to or details of any vulnerable system with others. 
• Do not use brute force techniques, such as repeatedly entering passwords, to gain 
access to systems. 


Also refrain from: 

• Accessing, downloading, or modifying data residing in an account that does not belong 
to you, or attempting to do any of the foregoing 
• Executing or attempting to execute any “Denial of Service” attack 
• Posting, transmitting, uploading, linking to, sending, or storing any malicious software 
• Testing in a manner that would result in the sending of unsolicited or unauthorized junk 
mail, spam, pyramid schemes, or other forms of duplicative or unsolicited messages 
• Testing in a manner that would degrade the operation of any Qualys properties, or 
testing third-party applications, websites, or services that integrate with or link to 
Qualys properties 
• Issues with out-of-date or unpatched browsers 
• Lack of the Secure flag on non-sensitive cookies 
• Lack of the HttpOnly flag on non-sensitive cookies 
• Security vulnerabilities in third-party websites and applications that integrate with 
Qualys properties 
• Vulnerabilities requiring a potential victim to install nonstandard software or otherwise 
take steps to become susceptible to attack 
• Social engineering or vulnerabilities requiring very unlikely user interactions 
• Findings primarily from social engineering (e.g., phishing, vishing) 
• Findings from physical testing such as office access (e.g., open doors, tailgating) 
• UI/UX bugs and spelling mistakes 
• Spamming 
• Disclosure of known public files or directories (e.g., robots.txt) 
• Click-jacking and issues only exploitable through click-jacking 
• CSRF on forms that are available to anonymous users (e.g., the contact form) 
• Logout cross-site request forgery (logout CSRF) 
• Presence of application or web browser ‘autocomplete’ or ‘save password’ functionality 
• SSL attacks such as BEAST, BREACH, or the renegotiation attack 
• SSL forward secrecy not enabled 
• SSL insecure cipher suites 
• The anti-MIME-sniffing header X-Content-Type-Options 
• Missing HTTP security headers 


POINTS TO KEEP IN MIND: 

• Do not put any customer or Qualys data at risk, or degrade any of our systems’ 
performance. 
• If your actions are intrusive or constitute an attack on our systems, we may act against 
them, including reporting them to law enforcement agencies. 
• Qualys reserves its right to initiate legal action against, and/or report to the relevant 
authorities, any person who conducts any tests or investigations which are 
prohibited, not in compliance with law, or not as per this Policy. 

Do not publicly announce the vulnerability; instead, get in touch with us and give us the time to 
examine the issue. The safety of our customers’ information and assets is our top priority. 
Therefore, we encourage anyone who has discovered a vulnerability in our systems to act 
promptly and help us improve and strengthen the safety of our sites and systems. 


OUR RECOGNITION 


If you identify a valid security vulnerability in compliance with this Responsible Disclosure Policy, 
Qualys shall — 

• Acknowledge receipt of your vulnerability report 
• Work with you to understand and validate the issue 
• Address the risk as deemed appropriate by the Qualys team 
• Work together with you to prevent cyber-crime 


Qualys will review the submission to determine whether the finding is valid and has not been previously 
reported. Publicly disclosing the submission details of any identified or alleged vulnerability 
without express written consent from Qualys will deem the submission noncompliant with this 
Responsible Disclosure Policy. 